Management VLAN and Service VLAN Recommendations

WLAN Troubleshooting Guide

About This Document
Using eDesk Pro for Network Inspection and Troubleshooting
Using Troubleshooting Insights
Risky Operations
- Hardware-Related Risky Operations
- Software-Related Risky Operations
Routine Maintenance
- Routine Maintenance Overview
- Before You Start
- Checking the Device Environment
  - Checking the Equipment Room Environment
  - Checking the Cable Status
- Checking Basic Device Information
  - Checking the Indicator Status
  - Checking for Critical or Major Alarms on an AC
- Checking the Device Running Status
- Checking Interface Information
- Checking Services
  - Checking the User Status
- Fault Information Collection and Feedback
Troubleshooting: Hardware
- Hardware Overview
- Troubleshooting Guidelines for Hardware
- Troubleshooting Cases for Hardware Faults
- Hardware FAQs
Troubleshooting: STA Experience Faults
- Troubleshooting Guidelines for STA Experience Faults
- Troubleshooting Cases for STA Experience Issues
- STA Experience FAQs
Troubleshooting: AP Joining Faults
- Troubleshooting Guidelines for AP Joining Faults
  - An AP Fails to Go Online on the AC
  - An AP Goes Offline Unexpectedly
- Troubleshooting Cases for AP Onboarding Issues
- AP Onboarding FAQs
Troubleshooting: STA Onboarding Faults
- Troubleshooting Guidelines for STA Onboarding Faults
- Troubleshooting Cases for STA Onboarding Issues
- STA Onboarding FAQs
Troubleshooting: Wireless Access Authentication Issues
- 802.1X Authentication Failures
- HTTP-based External Portal Authentication Failures
- Failures in External Portal Authentication Using the Portal Protocol
- Portal Redirection Failures
- Built-in Portal LDAP or AD Authentication Failures
- Failure to Access the Built-in Portal Page
  - Key Configuration Check
  - Common Built-in Portal Page Access Failures
- Troubleshooting Cases for STA Authentication Failures
- WLAN Authentication FAQs
Troubleshooting: Device Login Faults
- Troubleshooting Guidelines for Device Login Faults
- Device Login FAQs
Troubleshooting: Device Upgrade Faults
- Troubleshooting Guidelines for Device Upgrade Faults
- Troubleshooting Cases for Device Upgrade Failures
  - Case Study: Intelligent Upgrade Fails Because the CA Certificate on the AC Does Not Match That on the HOUP Server
  - Case Study: AP5030DN Upgrade and Mode Switching Are Abnormal Because the AP5030DN Enters the Assistant Package Mode
- Device Upgrade FAQs
Troubleshooting: Device Management Faults
- Troubleshooting Guidelines for Device Management Faults
- Device Management FAQs
Troubleshooting: Reliability Faults
- Troubleshooting Guidelines for Reliability Faults
- Troubleshooting Cases for Reliability Issues
- Reliability FAQs
Troubleshooting: Wireless Bridge Service Faults
- Troubleshooting Guidelines for Wireless Bridge Service Faults
- Wireless Bridge FAQs
Troubleshooting: Radio Management Service Faults
- Troubleshooting Guidelines for Radio Management Service Faults
  - Radio Calibration Does Not Take Effect
  - AI Roaming Does Not Take Effect
- Radio Management FAQs
Troubleshooting: Cloud Management Faults
- Troubleshooting Guidelines for Cloud Management Faults
- Troubleshooting Cases for Cloud Management Faults
  - Case Study: Fit APs Managed by a Cloud AC Fail to Go Online Due to Insufficient License Resources on the Cloud Management Platform
  - Case Study: In a VRRP Backup Scenario, a Loop Occurs on the Network When ACs Connect to the Cloud in PnP Auto-Negotiation Mode
Troubleshooting: CPE Service Faults
- Troubleshooting Guidelines for CPE Service Faults
- Troubleshooting Cases for CPE Service Faults
  - Case Study: When a CPE Roams Repeatedly, Terminals Connected to the CPE Are Intermittently Disconnected
  - Case Study: An Exception Occurs on a CPE Tunnel Due to EoGRE Configuration Changes
- CPE Service FAQs
  - How Can I Know the CPE Connected to a Wired Terminal and Its Uplink AP?
  - How Do I Collect CPE Fault Information by One Click?
Troubleshooting: Others
- Troubleshooting Guidelines for Other WLAN Service Faults
  - User Rate Limiting Does Not Take Effect
- Troubleshooting Cases for Other WLAN Service Issues
  - Case Study: Two STAs Connected to the Same SSID on the Same AP Cannot Communicate with Each Other Because the traffic-optimize bcmc deny all Command Is Executed on the Device
- FAQs About Other WLAN Services
TechNotes
- WLAN Network Optimization
- How an AP Joins an AC and Troubleshooting Any Join Failures
- How to Log In to WLAN ACs and APs
- Troubleshooting WLAN Password Issues
- AP Mode Switching - Overview, Configuration Examples, and Troubleshooting
- TechNotes: Mapping Between WACs and APs
- TechNotes: Wireless Packet Obtaining
- VLAN Deployment Guide for WLAN
- WLAN Performance Test Guide
- How to Configure Option 43 When Huawei APs Are Connected to DHCP Servers of Different Vendors
- Common WLAN Configuration Errors
Appendix: Common Information Collection and Fault Diagnostic Commands
- Information Collection
- Typical Fault Information Collection
- System Maintenance Methods
- Common Fault Diagnostic Commands
Appendix: Indicators
Contacting Huawei Technical Support

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Management VLAN and Service VLAN Recommendations

This chapter analyzes impact of different combinations of service and management VLANs in direct and tunnel forwarding modes, and provides configuration recommendations.

Recommended Configuration

The following table summarizes the configuration impact and recommendations.

For easy description, the VLANs in the table are only examples.

Forwarding Mode	Service VLAN	Management VLAN	Configuration Impact	Recommended or Not
Direct forwarding	100	50	Recommended standard configuration.	Yes
	1	100	Management VLAN tags are added to user service packets, causing service disorder.	No
	100	1	Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.	No
	1	1	Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.	No
	100	100	Data is incorrectly forwarded.	Prohibited
Tunnel forwarding	100	50	Recommended standard configuration.	Yes
	1	100	Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.	No
	100	1	Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.	No
	1	1	Broadcast and multicast packets of wireless services are still forwarded to the wired interfaces on APs, which may affect AP performance.	No
	100	100	Broadcast and multicast packets of wireless services are still forwarded to the wired interfaces on APs, which may affect AP performance.	No

Impact of the Service VLAN and Management VLAN Configurations in Direct Forwarding Scenarios

Combination of Service and Management VLANs	Impact Analysis	Recommended Configuration
The service and management VLANs are different, and neither of them is 1.	Optimal standard configuration.	Recommended
The service and management VLANs are different, and the service VLAN ID is 1.	In direct forwarding mode, the service VLAN ID is 1. User packets are tagged with the service VLAN ID 1 by an AP. Due to particularity of VLAN 1, VLAN ID 1 is removed from the packets by default when they are sent out from an AP, an AC, or a switch. In this way, service packets sent out from the AP carry no service VLAN ID. When the packets reach the access switch, the access switch adds the management VLAN ID 100 to the packets. Therefore, service packets are tagged with the management VLAN ID, which does not conform to VLAN planning. As a result, some problems may be caused, for example: STAs obtain IP addresses from the management VLAN address pool, causing user service disorder, for example, user ACLs do not take effect. Portal authentication pages fail to be pushed after Portal authentication is configured.	Not recommended. To perform such configuration, analyze the networking and services.
The service and management VLANs are different, and the management VLAN ID is 1.	Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.	Not recommended
The service and management VLANs are both VLAN 1.	Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.	Not recommended
The service and management VLANs are the same but not 1.	For example, service VLAN 100 and management VLAN 100. Management packets sent out from APs do not carry VLAN IDs, while service packets carry the service VLAN ID 100. When management packets reach the access switch, the access switch adds the PVID 100 to the packets. The access switch transparently transmits service packets without processing their VLAN IDs. Downlink service packets of users carry the VLAN ID 100. When these packets are sent out from switch interfaces, the service VLAN ID is considered as the management VLAN ID and removed. When the service packets reach an AP, they are considered as management packets and discarded by the AP. As a result, services are interrupted.	Prohibited.

Impact of the Service VLAN and Management VLAN Configurations in Tunnel Forwarding Scenarios

Combination of Service and Management VLANs	Impact Analysis	Recommended or Not
The service and management VLANs are different, and neither of them is 1.	Optimal standard configuration.	Yes
The service and management VLANs are different, and the service VLAN ID is 1.	Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.	No
The service and management VLANs are different, and the management VLAN ID is 1.	Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.	No
The service and management VLANs are both VLAN 1.	Uplink direction: STA -> AP -> AC -> upper-layer network. Assume that a STA sends a broadcast packet in VLAN 1. This packet is encapsulated with a CAPWAP header by the AP and reaches the AC carrying the management VLAN ID 1. After decapsulating the CAPWAP packet, the AC finds that it is a broadcast packet (carrying service VLAN ID 1) sent by the STA, and broadcasts it. One copy of the packet will be sent back to the AC and then to the AP. In this way, which may cause user service interruption.	No
The service and management VLANs are the same but not 1.	For example, service VLAN 100 and management VLAN 100. In the simple networking with a STA, an AP, and an AC, the AC with the IP address of 10.1.1.1 and MAC address of AAAA-BBBB-CCCC serves as the user gateway. The AP's IP address is 10.1.1.2, and its management VLAN is VLAN 100. The STA's IP address is 10.1.1.254, and its service VLAN is VLAN 100. A service packet is forwarded from the upper-layer network to the STA as follows: upper-layer network -> AC -> access switch -> AP -> STA. The inner Layer 2 header of the packet is as follows: Layer 2 header: Source MAC address: AAAA-BBBB-CCCC(VLAN100) //This VLAN is the service VLAN. In tunnel forwarding mode, a packet sent to the STA is encapsulated with an outer CAPWAP header on the AC. The outer CAPWAP header is as follows: Layer 2 header: Source MAC address: AAAA-BBBB-CCCC(VLAN100) //This VLAN is the management VLAN. When this packet reaches the AP through the wired interface, the inner Layer 2 header is invisible for the AP. The AP can only detect the outer CAPWAP header and then a physical interface on the AP learns the AC's MAC address AAAA-BBBB-CCCC. The MAC address table is as follows: ------------------------------------------------------- MAC Address VLAN/VSI Learned-From Type ------------------------------------------------------- AAAA-BBBB-CCCC 100/- GE0/0/0 dynamic ------------------------------------------------------- For a packet carrying the CAPWAP header sent to the STA, the AP decapsulates the packet to expose the inner Layer 2 header. The CAPWAP tunnel interface on the AP learns the AC's MAC address AAAA-BBBB-CCCC again. The MAC address table is as follows: ------------------------------------------------------- MAC Address VLAN/VSI Learned-From Type ------------------------------------------------------- AAAA-BBBB-CCCC 100/- CAPWAP dynamic ------------------------------------------------------- In this way, the AC's MAC address learned by the AP maps two outbound interfaces GE0/0/0 and CAPWAP, causing packet forwarding disorder and service exceptions.	No

Recommendations for Creating and Allowing Management VLANs and Service VLANs in Different Forwarding Modes

In direct forwarding mode

If the AC is deployed in inline mode, to create a management VLAN and a service VLAN on the AC. Configure the network devices between the AC and APs to allow packets from the management VLAN to pass through, and configure the network devices between the AP and upper-layer network to allow packets from the service VLAN to pass through.
If the AC is deployed in bypass mode, create a management VLAN on the AC, and determine whether to create a service VLAN based on the site requirements. Configure the network devices between the AC and APs to allow packets from the management VLAN to pass through, and configure the network devices between the AP and upper-layer network to allow packets from the service VLAN to pass through.
If the AC serves as the user gateway, create the service VLAN on the AC.

If the AC does not serve as the user gateway, service data does not pass through the AC. Therefore, the service VLAN configuration is usually not required on the AC. However, if 802.1X authentication is used, authentication packets need to be forwarded through a CAPWAP tunnel. In this case, you must create the service VLAN on the AC.
Operations on the CLI and web platform are as follows:
- On the CLI:
  Create service VLANs on the AC in any version.
- On the web platform:
  For versions earlier than V200R008, create service VLANs on the AC. For V200R008 and later versions, the system automatically creates a service VLAN when you perform service VLAN configurations.

In tunnel forwarding mode

In tunnel forwarding mode, the management VLAN and service VLAN must be created on the AC regardless of whether the AC is deployed in inline or bypass mode. Configure the network devices between the AC and APs to allow packets from the management VLAN to pass through, and configure the network devices between the AC and upper-layer network to allow packets from the service VLAN to pass through.

Recommended Configuration
Impact of the Service VLAN and Management VLAN Configurations in Direct Forwarding Scenarios
Impact of the Service VLAN and Management VLAN Configurations in Tunnel Forwarding Scenarios
Recommendations for Creating and Allowing Management VLANs and Service VLANs in Different Forwarding Modes

Translation

简体中文

Download

Updated: 2023-06-02

Document ID: EDOC1000060368

Downloads: 5813

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate